homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / WebmasterWorld / New To Web Development
Forum Library, Charter, Moderators: brotherhood of lan & mack

New To Web Development Forum

This 34 message thread spans 2 pages: 34 ( [1] 2 > >     
Best Practice Protecting WordPress Against Hackers
My website hacked twice....

 1:58 pm on Oct 24, 2008 (gmt 0)

Guys this is too frustrating, my Wordpress website has been hacked twice and on both occasions I think they are trying to extort me.... the first time I deleted this index file he placed there and then the site was back to normal. I upgraded to the latest version of Wordpress and changed my password.

Then I realized I was hacked a month later. The support people keep saying that I must update my password regularly to protect my domain but this has never happened on any other webhost, like GoDaddy.

Please help me out here guys what do I do...what are the best practices to stop this from happening again?



 2:17 pm on Oct 24, 2008 (gmt 0)

Keep WP, PHP, and xSQL updated to the latest versions, change your passwords often using "strong" passwords like "a13!z97_rqq9-17hl" instead of "bill21", deny Web access to all script, log, stats, and control panel directories, use SFTP to access the site for uploads/downloads, disable FTP, telnet, and shell access, and "harden" your scripts to accept only limited and specified inputs*.

If you still get hacked, change hosts.

* Many people take the wrong approach to securing scripts, in that they attempt to "filter out" what they don't want to accept as input. SQL injection attacks are based on this error.

A better approach is to filter input based on what you *will* accept, and reject everything else. If you think about the effects of an error or omission using each of these approaches, the advantages of the "allow-only" approach become clear.

For example, if you use the "filter out bad input" approach and you forget to filter out a particular string, then that string can be used to hack your site. On the other hand, if you forget to allow a certain harmless and valid string while using the "allow only this input" approach, then your site will be broken temporarily. While that may not sound attractive, the fact is that such a problem is one that can be very quickly discovered and corrected -- and more importantly, it won't result in a hack.



 2:22 pm on Oct 24, 2008 (gmt 0)

If you have install the latest version of WP, then the security glitch is in one of the plugins you are using.

Usually, you go to log file to fetch information about your hacker or see any strange URL being called, etc...

Not sure that changing password regularly will help. Make sure all your plugins are up to date and do some search on the net for each of name "[plugin name] hack" to see if your plugins are vulnerable.


 2:35 pm on Oct 24, 2008 (gmt 0)

The problem with WP is that you will always need to keep downloading the latest versions because it will get hacked. If you truly want to prevent hacking you can always learn how to build your own site.


 9:47 am on Oct 25, 2008 (gmt 0)

when wordpress is hacked, usually the hacker injects into the post data iframes or javascripts with malicious code.
upgrading wordpress won't help if you didn't clean your database.
select your posts for content like "%iframe%" or javascript, make sure you don't miss uppercase lowercase tricks.
Besides that, if your sites makes any money and you can afford spending a few hundred dollars a year, look for a vulnerability scanner and subscribe to it. This assures you that the minute a new exploit is discovered to the security world, it is tested on your site to make sure that you are safe.
In your case, I'm not sure that the wordpress is the problem, since you said that you have upgraded more than once. It might be that in one of the previous hacks a backdoor was installed on your server and now it is used every now and then. There are scanners that can discover these backdoors as well.


 12:32 pm on Oct 25, 2008 (gmt 0)

I've come to expect these types of topics at least once or twice a week around here.

My website was hacked...

It's not only here either but all over the Internet. Websites are getting hacked by the second and being exploited to the nth degree.

See what happens when an Open Source Software package goes mainstream? I've never been real fond of the Open Source thingamabob until recently. We're rebuilding WordPress on Windows and redoing everything to avoid these types of things to the best of our ability anyway. ;)

I've read some stories recently where free themes have been the underlying source of hacks and some of them are pretty brazen. And then of course you have the plugins. Running a WordPress website has become a challenge to say the least, unless you are running a hosted solution with WP themselves. Even then, there are still constant attempts to find new exploits.

WordPress need to do something soon to nip this in the bud. Maybe all WP installations need to be monitored by one resource? Maybe by the creators of the platform? I know, that would be a monumental task but, something has to give. This whole hacking thing is out of hand. How far out of hand? Enough to where websites are now being tagged in the SERPs as being unsafe.

Google have their own problems in this area. Their blogging platform is getting hacked at this very second. I KNOW, I'll get Google Alerts sometime today referencing company names and leading me to hacked and/or spammed Google Blogs. What a mess they have over there. I look at the host names on these Google Alerts and have to wonder how they even get by the system.

WordPress users beware, that is all I can say. I'm getting ready to join you too but with a different platform to avoid the issues regular WP users run into. We don't want to deal with that. ;)


 1:25 pm on Oct 25, 2008 (gmt 0)

Whoa, stop with the WordPress blame. Modern versions of WordPress are tested and reviewed more closely than a lot of other software because of such heavy use.

If you are on a shared server you are being hacked within the server.
You can't just replace the one file, they usually leave a backdoor.

If you are on a vps or dedicated, when you are hacked you need to replace all system files otherwise they will leave a backdoor to get in again.

You are likely getting hacked via plugins or other software on your account that's not completely vetted.

If you are on a vps or dedicated you need a serious firewall like CSF.

Oh and if you have public directories with chmod 777, the attack could be coming from anywhere on your shared host.


 1:50 pm on Oct 25, 2008 (gmt 0)

Oh and as far as best practices:

Make sure your server is running a firewall like CSF or APF
(if on a shared host and they are not, change hosts)

Make sure your server has the most current version of apache+PHP
(if on a shared host and they are not, change hosts)

Make sure your PHP has security restrictions like open_basedir
(if on a shared host and they don't use it, change hosts)

Make sure you don't have public directories that are chmod 777 on a shared host

Recommended: remove version number announcements from apache, php and wordpress

Recommended: remove xmlrpc.php from wordpress

Consider getting your own VPS so you can setup security properly.


 1:52 pm on Oct 25, 2008 (gmt 0)

Lets go back to the OP..
Guys this is too frustrating, my Wordpress website has been hacked twice and on both occasions I think they are trying to extort me

Extortion implies somebody wants something from you, (money maybe)... So, what do you mean by that statement?

"Hacked"... What do you mean by this? Site defaced? Comment spam? Site diverted?

Other than a public defacement where the hacker is just showing they can change your site, anyone with monetary gain in mind will have inserted a redirect to their own site, Adsense code, etc..

Someone trying to extort something from you will be telling you, "Leave an envelope containing XYZ... and come alone"...

So, please explain more what is happening to your site.


 12:07 am on Oct 26, 2008 (gmt 0)

I would not leave out the probability of the client being infected with backdoors, worms, troyans. especially if it's been hacked twice in a month on a same domain event after wordpress updates.


 12:59 am on Oct 26, 2008 (gmt 0)

The best way to avoid a hacked WordPress site, if you must use it, is let WordPress themselves host it. For a very small annual fee the blog will even appear on your domain name and they have it secured, no threat of your server being hacked.

Other software may also have vulnerabilities but nothing I've ever read about has the same level or even comes close to comparing to the hacker friendly Swiss cheese holes of WordPress and/or it's plug-ins.

Your safest bet is no WordPress whatsoever.

[edited by: incrediBILL at 12:59 am (utc) on Oct. 26, 2008]


 6:50 am on Oct 26, 2008 (gmt 0)

Your safest bet is no WordPress whatsoever.

That's not fair, at all. Every major blog or cms software has been hacked at one time or another. Movabletype, Drupal, Joomla all have security vulnerability fixes every few months.

WordPress just has far more users so it gets far more attention.

Most of all, we still don't know if this was WordPress related.
What if they spend a week changing software and get hacked again?


 8:20 am on Oct 26, 2008 (gmt 0)

That's not fair, at all.

Not everything is fair.

Trying to secure WordPress is a nightmare, the hackers dream under constant search and invade, and the only way to get rid of a nightmare is to wake up and use something less of a target and more secure.

It's like a car accident, I didn't have to cause the situation to know enough to take the side streets to avoid it.


 9:38 am on Oct 26, 2008 (gmt 0)

Get an asp.net blog nobody will try to hack that. A php blog is going to be the biggest target. Hackers all know php very well.


 2:19 pm on Oct 26, 2008 (gmt 0)

If you are saying using WordPress makes you a target then maybe the answer is to make WordPress not "look" like WordPress. You can rename the wp-admin directory and delete xmlrpc.php and remove version number announcements and any hacker scanning for wordpress triggers should then fail.

Not to tempt fate but my oldest WordPress blog is from 2004 and I have dozens of clients using WP as well. No one has been hacked. Maybe I'm just lucky, or maybe it's the way I run my servers? I dunno. Nothing is bulletproof, the key is to keep on top of things (and nothing beats a good backup routine).


 3:41 am on Oct 27, 2008 (gmt 0)

The thing I've seen lately: folks who don't upgrade, run an old version then get smacked with lots of spammy links added to the header &/or footer files of the active theme, all due to known exploits that have been fixed in later releases.

But it's hard to keep up with all the updates and such, especially if you aren't in it all the time.
(not everyone spends as much time online as the denizens of WebmasterWorld ;))


 5:23 am on Oct 27, 2008 (gmt 0)

the answer is to make WordPress not "look" like WordPress.

That's even worse because upgrading to get patches is no longer simple so people procrastinate and it's usually beyond the ability of most webmasters without the assistance of a programmer.

Hackers don't procrastinate.


 6:04 am on Oct 27, 2008 (gmt 0)

If you are saying using WordPress makes you a target then maybe the answer is to make WordPress not "look" like WordPress. You can rename the wp-admin directory and delete xmlrpc.php and remove version number announcements and any hacker scanning for wordpress triggers should then fail.

That will help but its something I would consider as another layer of security and not something I would rely on. As far as the version number any software maker that has this in the footer is quite frankly asking to get their software hacked. This was removed from phpBB a few years ago, they even allow you to change the copyright text to an image if you wish so the "powered by phpBB" string is not searchable. That's not going to prevent someone from searching for a string in the URL that might be common to it or even common to a particular modification.

On the other hand if the stock install has this you may be able to fly under the radar of a lot of hackers.


 6:19 am on Oct 27, 2008 (gmt 0)

The "hard to upgrade" idea is also completely wrong.

You can do anything you want to your templates (themes) but leave the core alone an you can instantly upgrade to any newer version. There's even automatic updates available via plugin but new version notification has been available (and on by default) since version 2.3

If you use svn, you can even do slight modification to core files and still maintain the most current versions.


 6:44 am on Oct 27, 2008 (gmt 0)

Also, if you host different websites in the same server (like add-ons website, etc.), do not forget to change authorisation for accessing your Mysql database (that is create an user, give authorisation to access ONLY your Wordpress database) so that your hacker can not mess up with database from you other websites.


 7:11 am on Oct 27, 2008 (gmt 0)

leave the core alone an you can instantly upgrade to any newer version

In that case you're left too many footprints and they'll still find you.

I have a few scripts used to locate WordPress sites that I captured from botnets trying to infect my machines and you would be amazed at all the things they look for in order to detect WordPress.

Therefore, you either do some major overhaul to avoid those scripts which thwarts upgrading easily or you avoid it altogether and just roll the dice, or host with WordPress which is safest.

[edited by: incrediBILL at 7:11 am (utc) on Oct. 27, 2008]


 8:58 am on Oct 27, 2008 (gmt 0)

hackers do not look at your website. They look at your files. Wordpress has a very unique footprint that you can't hide from hackers. You would have to go change a lot of file names and that would really screw up future upgrades.


 11:45 am on Oct 27, 2008 (gmt 0)

Hackers can't scan millions of sites like Google can so easily.
Instead they use search engines to find patterns on words on a page ie. "powered by WordPress"
It's fairly easy to defeat those patterns, any SEO worth their salt can easily figure it out.
These patterns are in your themes, not the core, so they are safe to change.


 4:02 pm on Oct 27, 2008 (gmt 0)

I just have to wonder: Is it possible to have the benefits of a personal publishing platform without the ever lengthening record of security problems?

In other words, can't the folks behind WordPress create a simplified version of a personal publishing platform - WordPressLite - that is rock solid?

Since it's a GPL licensed product has anyone attempted to take the code, gut it and reduce it to a product that offers 100% of what is needed to publish with only 95% of the bells or whistles that makes for added vulnerability?

Really, where is a simple, designed for security version of WordPress?

Why isn't there a WordPress community that has taken that mission upon itself? You mean there's no call for it?


 5:15 pm on Oct 27, 2008 (gmt 0)

can't the folks behind WordPress create a simplified version of a personal publishing

It doesn't need simplification, it simply needs a security code review before being released. Someone with a security background needs to check the code at all access points for vulnerabilities.

However, that would only secure WordPress which still leaves all the plug-ins and themes that need the same kind of testing otherwise you're still leaving it wide open.

What the heck, it's free, you get what you pay for! ;)


 5:30 pm on Oct 27, 2008 (gmt 0)

Aaron Wall at SEOBook.com recently wrote about a WordPress Hack that uses cloaking to target Google IP addresses. Here is a quote from that post...

In fact, for this particular hack you can't even see the links on Google's cached version of a page unless you view the text cache version of the page.

Some pretty nasty stuff being injected through the above hack.

How do you lock down an application when you have hundreds if not thousands of plugins available? After seeing all the topics about WordPress Blogs being hacked, I'd have to say that hosting your Blog with WordPress is probably the best alternative if you do not have the ability to secure the platform yourself.

How does one manage their reputation when the platform they are using to build that reputation on is being undermined? I know, it can happen to anyone at anytime. It happens to Windows, IE, Firefox, everyone. Build it and they will hack.


 6:00 pm on Oct 27, 2008 (gmt 0)

So there's lots of support for WordPress and lots of support for plugin creation but there's no community of security minded folks who are prepared to offer their version of support to the project?

There isn't a WordPress security forum of some kind, one that is sponsored by WordPress.org, that is dedicated to closing the holes?

There aren't plugin design standards against which new plugins can be scrutinized for creating holes where one didn't exist? Is it so hard, when creating a new plugin, to avoid creating a new security hole?

Why not imposed a "vetted for security" standard on plugins - at least those that posted to the WordPress.org site? Does this exist?

Forget the plugins and themes and all that, why isn't there a simplified bullet proof version of WordPress? In other words, 2 versions: You want bells and whistles OR do you want simplified publishing with a security lock that only simplicity can offer?

I know simplicity isn't a guarantee but it sure seems that every new add-on creates a new opportunity for exploitation.

WordPress lite and secure, anyone? Can it be done?


 6:30 pm on Oct 27, 2008 (gmt 0)

The light and secure approach is how phpbb3 went about things with a heavy emphasis on security and it shows. The light approach was more aimed at performance, I'm not sure light is the exact temr as its is quite a large package with many features. It's been almost a year since it's been released with two updates since and there's no major or even minor exploits that I'm, aware of. They also went through a paid security audit before the gold release.

I don't know how Wordpress handles things but any modifications that get the official nod of approval for phpbb3 must meet strict coding guidelines. Each mod is validated by a team member once submitted.

phpbb3 also employs an auto update feature that makes it easy to update modded boards.

Last but not least all mods that gain approval have an option to subscribe to them so you can be notified via email if there are any updates, this last feature is probably the biggest concerning the security of mods.

It's a lot of work and very few mods have been released in the last year but I think it's well worth the effort and the inconvenience.


 6:58 pm on Oct 27, 2008 (gmt 0)

WordPress lite and secure, anyone?

It obviously can be secured as WordPress hosts it themselves and it's not hacked all the time so that should tell you something.

Each mod is validated by a team member once submitted.

One team member isn't nearly enough to validate code for security because one person can easily overlook something that a team of review people might not miss.


 7:18 pm on Oct 27, 2008 (gmt 0)

amznVibe that is not true. There are search engines that just show blogs. It would be very easy to make a bot that just types in keywords into the blog search engine and scrape all the url's that are returned and then send a bot to visit all those sites. You could also then take all those url's and scrape blogrolls. Only an armature would just search google for the word "wordpress" in google and just stop there.

These same people are then getting accounts on the same host and hacking into the blog. I had somebody do that to me once because I left permissions open to 777.

The way I found out was that google penalized my site. After I contacted google through webmaster tools they sent me a copy of my source code showing a bunch of hidden links to male enhancement drugs. I fixed the problem and told google about how I was hacked and that I had fixed it and they put my rankings back up.

This 34 message thread spans 2 pages: 34 ( [1] 2 > >
Global Options:
 top home search open messages active posts  

Home / Forums Index / WebmasterWorld / New To Web Development
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved